b'TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION\n\n\n\n\n                 Target Dates Have Not Been Established to\n                    Eliminate or Reduce Taxpayer Social\n                      Security Numbers From Outgoing\n                              Correspondence\n\n\n\n                                         August 13, 2010\n\n                              Reference Number: 2010-40-098\n\n\n\n\n This report has cleared the Treasury Inspector General for Tax Administration disclosure review process\n  and information determined to be restricted from public release has been redacted from this document.\n\n\n\n Phone Number | 202-622-6500\n Email Address | inquiries@tigta.treas.gov\n Web Site      | http://www.tigta.gov\n\x0c                                                   HIGHLIGHTS\n\n\nTARGET DATES HAVE NOT BEEN                            (SSN ER) Plan. A majority of a sample of\nESTABLISHED TO ELIMINATE OR                           SSN ER Plan accomplishments could be\nREDUCE TAXPAYER SOCIAL SECURITY                       validated. However, most of the supporting\nNUMBERS FROM OUTGOING                                 documentation had to be reassembled, and\n                                                      it was not clear if the IRS had validated the\nCORRESPONDENCE\n                                                      accomplishments before reporting them.\n                                                      Milestones for Phase 3 of the SSN ER Plan\nHighlights                                            have not been established.\n                                                      The IRS will not be eliminating or reducing\nFinal Report issued on August 13, 2010                the use of taxpayers\xe2\x80\x99 Social Security\n                                                      Numbers in the immediate future. The IRS\nHighlights of Reference Number: 2010-40-098           has many systems, notices, and forms that\nto the Internal Revenue Service Deputy                use Social Security Numbers which require\nCommissioner for Operations Support.                  significant analysis before Social Security\n                                                      Number use is eliminated or reduced. The\nIMPACT ON TAXPAYERS                                   IRS focused first on internal forms using\nMore than 130 million taxpayers entrust the           Social Security Numbers and eliminating\nInternal Revenue Service (IRS) with sensitive         employees\xe2\x80\x99 Social Security Numbers from its\nfinancial and personal data, much of it on paper      systems.\ndocuments requiring protection. Taxpayers             WHAT TIGTA RECOMMENDED\nneed to be assured that the IRS is taking every\nprecaution to protect their private information       TIGTA recommended that the Deputy\nfrom inadvertent disclosure.                          Commissioner for Operations Support maintain\n                                                      documentation to support major deliverables\nWHY TIGTA DID THE AUDIT                               and key meetings so that it is readily available\nThis audit was initiated because the Social           for examination. The Deputy Commissioner\nSecurity Number is now a vital piece of               should also validate data received from the\ninformation needed to function in American            business units and all accomplishments to\nsociety to pay taxes, obtain a driver\xe2\x80\x99s license, or   ensure all needed actions are complete, and\nopen a bank account, among other things.              refine and update the milestones for the\nIdentity theft affects tax administration when an     SSN ER Plan to ensure timely progress of the\nindividual intentionally uses the Social Security     strategy.\nNumber of another person to file a false tax          The IRS agreed with the recommendations.\nreturn or fraudulently obtain employment.             It created a dedicated SSN ER shared folder\nAnother person\xe2\x80\x99s Social Security Number is the        to maintain documentation related to major\nmost valuable tool an identity thief can obtain to    SSN ER Program deliverables and key\ncommit financial fraud, and the Social Security       meetings and will ensure specific report and\nNumber becomes even more valuable if it is            source materials are readily available for\nlinked to other personal data of the Social           examination. The SSN ER Program team\nSecurity Number owner, such as information            has also identified a team member as the\nrequired to prepare a tax return. TIGTA               Records Historian. The IRS will implement a\nconducted this audit to determine whether the         data validation process for all SSN ER Plan\nIRS is efficiently eliminating the unnecessary        accomplishments to ensure all required\ncollection and use of taxpayer Social Security        actions are completed. Finally, the IRS will\nNumbers.                                              strengthen Program milestones by refining\n                                                      and updating milestones quarterly to ensure\nWHAT TIGTA FOUND\n                                                      timely progress of Program strategies.\nIn response to Office of Management and\nBudget Memorandum 07-16, the IRS\ndeveloped and is implementing its Social\nSecurity Number Elimination and Reduction\n\x0c                                           DEPARTMENT OF THE TREASURY\n                                                WASHINGTON, D.C. 20220\n\n\n\n\nTREASURY INSPECTOR GENERAL\n  FOR TAX ADMINISTRATION\n\n\n\n\n                                           August 13, 2010\n\n\n MEMORANDUM FOR DEPUTY COMMISSIONER FOR OPERATIONS SUPPORT\n\n FROM:                       Michael R. Phillips\n                             Deputy Inspector General for Audit\n\n SUBJECT:                    Final Audit Report \xe2\x80\x93 Target Dates Have Not Been Established to\n                             Eliminate or Reduce Taxpayer Social Security Numbers From\n                             Outgoing Correspondence (Audit # 200940040)\n\n This report presents the results of our review to determine whether the Internal Revenue Service\n is efficiently eliminating the unnecessary collection and use of taxpayer Social Security\n Numbers. This audit was included in our Fiscal Year 2010 Annual Audit Plan and addresses the\n major management challenge of Taxpayer Protection and Rights.\n Management\xe2\x80\x99s complete response to the draft report is included as Appendix IV.\n Copies of this report are also being sent to the Internal Revenue Service managers affected by the\n report recommendations. Please contact me at (202) 622-6510 if you have questions or Michael\n E. McKenney, Assistant Inspector General for Audit (Returns Processing and Account Services),\n at (202) 622-5916.\n\x0c                     Target Dates Have Not Been Established to Eliminate or Reduce\n                            Taxpayer Social Security Numbers From Outgoing\n                                            Correspondence\n\n\n\n\n                                             Table of Contents\n\nBackground ..........................................................................................................Page 1\n\nResults of Review ...............................................................................................Page 4\n          The Internal Revenue Service Has Implemented the Social\n          Security Number Elimination and Reduction Plan.......................................Page 4\n          The Internal Revenue Service Will Not Be Eliminating or\n          Reducing the Use of Taxpayers\xe2\x80\x99 Social Security Numbers\n          in the Immediate Future ................................................................................Page 5\n                    Recommendation 1:..........................................................Page 8\n\n                    Recommendations 2 and 3: ......................................................... Page 9\n\n\nAppendices\n          Appendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology ........................Page 10\n          Appendix II \xe2\x80\x93 Major Contributors to This Report ........................................Page 12\n          Appendix III \xe2\x80\x93 Report Distribution List .......................................................Page 13\n          Appendix IV \xe2\x80\x93 Management\xe2\x80\x99s Response to the Draft Report ......................Page 15\n\x0c         Target Dates Have Not Been Established to Eliminate or Reduce\n                Taxpayer Social Security Numbers From Outgoing\n                                Correspondence\n\n\n\n\n                         Abbreviations\n\nIRS                Internal Revenue Service\nOMB                Office of Management and Budget\nSSN ER             Social Security Number Elimination and Reduction\n\x0c                  Target Dates Have Not Been Established to Eliminate or Reduce\n                         Taxpayer Social Security Numbers From Outgoing\n                                         Correspondence\n\n\n\n\n                                           Background\n\nIn February 2010, the Federal Trade Commission reported that identity theft was the number one\nconsumer complaint category in Calendar Year 2009. 1 Identity theft occurs when someone uses\nPersonally Identifiable Information, such as an individual\xe2\x80\x99s name, Social Security Number,\ncredit card numbers, or other account information, to commit fraud and other crimes. The\nInternal Revenue Service (IRS) Office of Privacy, Information Protection, and Data Security\ndefines Personally Identifiable Information as any combination of information that can be used\nto uniquely identify, contact, or locate a person and could subsequently be used for identity theft.\nMore than 130 million taxpayers entrust the IRS with sensitive financial and personal data, much\nof it on paper documents requiring\nprotection. For Calendar Year 2010, 2\nthe IRS mailed more than 42 million\nnotices and letters to individual\ntaxpayers for various reasons,\nincluding:\n\xe2\x80\xa2   More than 20.1 million balance\n    due notices. Taxpayers with\n    outstanding tax liabilities receive\n    balance due notices informing\n    them of their outstanding tax\n    liabilities. Shown at right is a\n    portion of a notice that the IRS\n    mailed to a taxpayer.\n\xe2\x80\xa2   More than 2 million letters issued\n    by the Automated Collection\n    System. 3 For example, these are letters mailed to taxpayers advising them that a levy is\n    being placed on their property or to confirm a taxpayer\xe2\x80\x99s payment agreement to satisfy an\n    outstanding tax liability.\n\xe2\x80\xa2   More than 9.7 million correspondence letters. Correspondence letters can request\n    information from taxpayers or advise them of possible adjustments to their tax returns.\n\n\n1\n  Consumer Sentinel Network Data Book for January\xe2\x80\x93December 2009, Federal Trade Commission, February 2010.\n2\n  Volumes are as of May 26, 2010.\n3\n  A telephone contact system through which telephone assistors collect unpaid taxes and secure tax returns from\ndelinquent taxpayers who have not complied with previous notices.\n                                                                                                        Page 1\n\x0c                  Target Dates Have Not Been Established to Eliminate or Reduce\n                         Taxpayer Social Security Numbers From Outgoing\n                                         Correspondence\n\n\n\nMost of these notices and letters include taxpayers\xe2\x80\x99 Social Security Numbers because they\nrequire the taxpayer to respond to the IRS. Taxpayers need to be assured that the IRS is taking\nevery precaution to protect their private information from inadvertent disclosure.\nAlthough the Social Security Number was created as a means to track workers\xe2\x80\x99 earnings and\neligibility for Social Security benefits, it is now a vital piece of information needed to function in\nAmerican society. Because of its unique nature and broad applicability, the Social Security\nNumber has become the identifier of choice for public and private sector entities, and it is used\nfor numerous non-Social Security purposes. Today, United States citizens generally need a\nSocial Security Number to pay taxes, obtain a driver\xe2\x80\x99s license, or open a bank account, among\nother things. Identity theft affects tax administration when an individual intentionally uses the\nSocial Security Number of another person to file a false tax return or fraudulently obtain\nemployment. Another person\xe2\x80\x99s Social Security Number is the most valuable tool an identity\nthief can obtain to commit financial fraud, and the Social Security Number becomes even more\nvaluable if it is linked to other personal data of the Social Security Number owner, such as\ninformation required to prepare a tax return.\nLegislative Requirements\nTwo primary laws, the Privacy Act of 1974 4 and the E-Government Act of 2002, 5 give Federal\nagencies responsibilities for protecting Personally Identifiable Information, including ensuring its\nsecurity. In addition, the Federal Information Security Management Act of 2002 6 requires\n                        agencies to develop, document, and implement agency-wide programs to\n                        provide security for their information and information systems (which\n                        include Personally Identifiable Information and the systems on which it\n                        resides).\n                       The Office of Management and Budget (OMB) has also issued numerous\n                       memoranda to Federal agencies. On May 22, 2007, the OMB issued\nMemorandum 07-16 (M-07-16), \xe2\x80\x9cSafeguarding Against and Responding to the Breach of\nPersonally Identifiable Information,\xe2\x80\x9d to the heads of executive departments and agencies\nrequiring that:\n        Within 120 days from the date of this memo, agencies must establish a plan in which the\n        agency will eliminate the unnecessary collection and use of social security numbers\n        within eighteen months.\nThe memorandum requires agencies to review and reduce the volume of Personally Identifiable\nInformation to the minimum necessary and reduce the use of Social Security Numbers. The\n\n\n4\n  5 U.S.C. Section (\xc2\xa7) 552a (2006).\n5\n  Pub. L. 107-347, 116 Stat. 2899, 44 U.S.C. \xc2\xa7 101.\n6\n  44 U.S.C. \xc2\xa7\xc2\xa7 3541 - 3549.\n                                                                                               Page 2\n\x0c                Target Dates Have Not Been Established to Eliminate or Reduce\n                       Taxpayer Social Security Numbers From Outgoing\n                                       Correspondence\n\n\n\nmemorandum emphasizes the need for proper privacy and security safeguards to protect\nPersonally Identifiable Information in both electronic and paper-based formats.\nThis review was performed at the IRS National Headquarters in Washington, D.C., in the Office\nof Privacy, Information Protection, and Data Security and the Office of Privacy in\nPhiladelphia, Pennsylvania, during the period June 2009 through May 2010. We also conducted\ninterviews in the Wage and Investment Division Office of Taxpayer Correspondence in\nLanham, Maryland, and Austin, Texas. We conducted this performance audit in accordance with\ngenerally accepted government auditing standards. Those standards require that we plan and\nperform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our\nfindings and conclusions based on our audit objective. We believe that the evidence obtained\nprovides a reasonable basis for our findings and conclusions based on our audit objective.\nDetailed information on our audit objective, scope, and methodology is presented in Appendix I.\nMajor contributors to the report are listed in Appendix II.\n\n\n\n\n                                                                                           Page 3\n\x0c               Target Dates Have Not Been Established to Eliminate or Reduce\n                      Taxpayer Social Security Numbers From Outgoing\n                                      Correspondence\n\n\n\n\n                                Results of Review\n\nThe Internal Revenue Service Has Implemented the Social Security\nNumber Elimination and Reduction Plan\nIn response to OMB M-07-16, the IRS developed and is implementing its Social Security\nNumber Elimination and Reduction (SSN ER) Plan. The Plan outlines the IRS\xe2\x80\x99 implementation\nmethodology, transition to new business practices, and the future state of the SSN ER Program.\nThe IRS submitted the first release of its SSN ER Plan to the Department of the Treasury in\nNovember 2007. To date, the IRS has provided three releases of its Plan to reduce or eliminate\nthe use of Social Security Numbers to the Department of the Treasury for incorporation into the\nDepartment\xe2\x80\x99s overall plan. The final release was submitted in February 2009.\nThe SSN ER Plan is broken down into three phases. The IRS is in Phase 2.\n   \xe2\x80\xa2   Phase 1: Data Gathering and Inventory.\n   \xe2\x80\xa2   Phase 2: Review Analysis and Identification of Solutions.\n   \xe2\x80\xa2   Phase 3: Implementation and Compliance Management.\nThe SSN ER Plan methodology includes identifying opportunities to eliminate or reduce Social\nSecurity Number use, reducing IRS reliance on the Social Security Number, and replacing Social\nSecurity Numbers as identifiers. The transition to new business practices includes introducing\nnew policies and procedures enterprise-wide to institutionalize the need to continuously\nreconsider Social Security Number use. These practices will be communicated internally to IRS\nemployees as well as externally to taxpayers, agency\npartners, and stakeholders.\n                                                             The IRS\xe2\x80\x99 key message is to\nThe future state of the SSN ER Program involves             improve taxpayer service and\nmoving into compliance management. This includes             reduce taxpayer burden by\nimplementing the SSN ER Plan, business unit progress         minimizing the use of Social\ntracking and reporting, monitoring adherence with              Security Numbers and\ninternal policies and Federal Social Security Number           increasing information\n                                                             safeguards and awareness\nrequirements, and internal and external communication          regarding agency use.\nand awareness.\nThe IRS has also been an active participant in several work groups with the Department of the\nTreasury and other Federal agencies exploring ways to minimize or eliminate Social Security\nNumber use.\n\n                                                                                            Page 4\n\x0c                  Target Dates Have Not Been Established to Eliminate or Reduce\n                         Taxpayer Social Security Numbers From Outgoing\n                                         Correspondence\n\n\n\nThe Internal Revenue Service Will Not Be Eliminating or Reducing the\nUse of Taxpayers\xe2\x80\x99 Social Security Numbers in the Immediate Future\nDuring Fiscal Year 2009, the IRS mailed 201 million notices (including letters) to taxpayers \xe2\x80\x94\nmost of which contained taxpayer Social Security Numbers. The IRS has many systems, notices,\nand forms that use taxpayer Social\nSecurity Numbers\xe2\x80\x94all requiring\nsignificant analysis to determine if\ntaxpayer Social Security Numbers are\nnecessary or can be eliminated. The\nfollowing have been identified that may\ncontain taxpayer Social Security\nNumbers.\n\xe2\x80\xa2   More than 500 different computer\n    systems.\n\xe2\x80\xa2   More than 6,000 types of internal\n    and external forms.\n\xe2\x80\xa2   20 categories of individual taxpayer notices (e.g., Adjustments, Balance Due, and Math\n    Error), 155 notice types (e.g., Examination Adjustment Notice; Balance Due $5 or More, No\n    Math Error; and Math Error, Overpayment of $1 or More). The IRS stated it has more than\n    800 letters and correspondence.\nSince the IRS submitted its first release of the SSN ER Plan to the Department of the Treasury in\nthe first quarter of Fiscal Year 2008, it has redacted or truncated taxpayers\xe2\x80\x99 Social Security\nNumbers from only a small number of systems, notices, and forms.\n\xe2\x80\xa2   Transmittal Document (Form 3210) used when transferring taxpayer files between IRS\n    functions and offices. The IRS now lists the last four digits of the taxpayer\xe2\x80\x99s Social Security\n    Number on the Form.\n\xe2\x80\xa2   Notices and letters associated with the economic stimulus payment 7 and Identity Theft\n    Program. 8 The IRS developed the new notices and letters so that they would not require the\n    taxpayer\xe2\x80\x99s full Social Security Number.\n\n\n\n\n7\n  The IRS mailed approximately 123 million economic stimulus payment notices to taxpayers between April and\nDecember 2008.\n8\n  The IRS mailed about 20,700 Identity Theft Program notices and letters to taxpayers between October 2007 and\nJanuary 2009.\n                                                                                                         Page 5\n\x0c                  Target Dates Have Not Been Established to Eliminate or Reduce\n                         Taxpayer Social Security Numbers From Outgoing\n                                         Correspondence\n\n\n\n\xe2\x80\xa2   Integrated Data Retrieval System 9 command code used to verify taxpayer identities. This\n    command code uses only the last 4 digits of the primary or secondary taxpayer\xe2\x80\x99s Social\n    Security Number, the first 10 characters of the last name (or less, if there are less than\n    10 characters in the last name), and the date of birth without the year to search for the\n    matching name(s) and address(es). The taxpayer needs to provide only the last four digits of\n    his or her Social Security Number.\n    Since the command code was made available to IRS employees, about 50,600 requests were\n    made from October 27, 2009, through March 31, 2010. About 35,800 of the command code\n    requests (71 percent) were successful.\nIn addition, the IRS issued Internal Revenue Bulletin 2009-51 that outlines a pilot program to\ntruncate the Social Security Number on the printed copies of the U.S. Information Return series\n(Form 1099) and Mortgage Interest Statement (Form 1098).\n\nThe IRS focused first on internal forms and employee Social Security Numbers\nThe IRS stated that it focused first on internal forms using Social Security Numbers because it\nhas more latitude to change the presentation of the data on the form if it does not leave the IRS.\nIf it leaves the IRS, consideration must be given to the effect any changes will make on the\nreceiving organization. The IRS has also focused on eliminating employee\xe2\x80\x99s Social Security\nNumbers from its systems.\nSystems and taxpayer correspondence containing taxpayer Social Security Numbers present\ncomplications because processes must also be analyzed and revised before reducing or\neliminating taxpayer Social Security Numbers. This is because Social Security Numbers are\nused to associate correspondence and documents with taxpayer accounts.\nIn addition, before revising forms and notices, the IRS must first analyze the various options for\neliminating or reducing the Social Security Numbers (e.g., eliminating or masking the Social\nSecurity Number, or using barcodes). The IRS began the lengthy process of analyzing the\nprogramming costs for the various systems in February 2009. Initial results of the analysis were\nprovided in November 2009.\n\nControls need to be improved to ensure the IRS takes all necessary actions to\nreduce or eliminate the unnecessary use of Social Security Numbers\nAs the IRS moves forward to reduce and eliminate the use of taxpayer Social Security Numbers,\nit needs to improve internal controls to ensure all planned actions are appropriately and timely\naccomplished. The IRS needs to maintain a complete list of systems, notices, and forms with\n\n\n9\n  IRS computer system capable of retrieving or updating stored information. It works in conjunction with a\ntaxpayer\xe2\x80\x99s account records.\n                                                                                                             Page 6\n\x0c                Target Dates Have Not Been Established to Eliminate or Reduce\n                       Taxpayer Social Security Numbers From Outgoing\n                                       Correspondence\n\n\n\nassociated actions for monitoring purposes. It also needs to ensure milestones are established\nand updated when necessary.\nThe majority of the accomplishments in the SSN ER Plan could be validated but\ndocumentation needs to be improved\nRelease 3 of the SSN ER Plan includes 35 statements purporting Plan accomplishments. The\nIRS was able to support the majority of the nine Plan accomplishments tested. However, most of\nthe supporting documents had to be reassembled.\nIn addition, it was unclear if the IRS had validated the accomplishments before reporting them.\nFor example, the Plan stated that the IRS had implemented the use of a Standard Employee\nIdentifier in lieu of the Social Security Number for one of the IRS\xe2\x80\x99 major application systems.\nIRS officials also advised us that the option to sign into the system with a Social Security\nNumber was to be removed by February 2010. Nevertheless, as of April 15, 2010, employees\nstill had the ability to sign into the system using either a Social Security Number or a Standard\nEmployee Identification Number.\nBecause documentation was not adequately maintained, there was no support to corroborate the\nPlan\xe2\x80\x99s accomplishments. Without validation, there\nis no assurance that all systems and forms using\ntaxpayers\xe2\x80\x99 Social Security Numbers are identified          Documentation was not\nand reduced or eliminated. The inability to           adequately maintained to support\ndocument or explain the steps taken to validate the         and corroborate Plan\n                                                             accomplishments.\naccomplishments makes it difficult for the IRS to\ndemonstrate why it may not be feasible to remove or\nreduce Social Security Numbers from systems and\noutgoing correspondence.\nThe SSN ER Program currently consists of only four employees. The SSN ER Program has\nexperienced management and employee turnover during the development and implementation of\nthe SSN ER Plan. Managers have been detailed to other assignments or taken other positions\nwithin the IRS. One analyst who reviewed data was a part-time employee. Finally, the current\nProgram manager stated that the SSN ER Program does not have the level of resources needed to\ndedicate one person to validate data and accomplishments (i.e., ensure taxpayer Social Security\nNumbers have been eliminated or masked, or ensure support for not removing them has been\nevaluated and approved).\nThe Office of Privacy, Information Protection, and Data Security has also been developing an\nIRS-wide Authentication Strategy. The Authentication Strategy promotes data protection and\nenables ease of access to maintain public confidence and improve customer service. The goals\nare to enhance an IRS-wide authentication internal control framework to address risk, deter\nfraudulent access, and institutionalize a common set of principles for authenticating taxpayers\nwhen contacting the IRS.\n\n                                                                                            Page 7\n\x0c                Target Dates Have Not Been Established to Eliminate or Reduce\n                       Taxpayer Social Security Numbers From Outgoing\n                                       Correspondence\n\n\n\nThere are no target dates for decisions on whether taxpayers\xe2\x80\x99 Social Security Numbers can\nbe removed from notices and/or letters\nDetailed Implementation and Compliance Management milestones have not been established.\nThe SSN ER Plan provided a strategic roadmap that showed Ongoing Compliance Management\nbeginning in Calendar Year 2011. However, milestones have not been updated since Release 3\nof the SSN ER Plan or established for Phase 3 of the Plan, Implementation and Compliance\nManagement. In addition, while the IRS has prepared draft outcome measures for the SSN ER\nProgram related to forms and notices, it has not developed outcome measures related to its\nsystems.\nThe IRS was using a tracking tool for each of the targeted SSN ER Plan areas (e.g., System\nTracking Tool, a Correspondence Tracking Tool (tracks notices and letters), and a Forms\nTracking Tool). Each tool was populated with inventory data (notices, letters, systems, etc.).\nAfter IRS offices responsible for the notices, letters, or systems decided if Social Security\nNumbers were essential or not essential, the tracking tools were updated. There were no target\ndates for any of the pending actions or decisions.\nThe IRS is creating an electronic SSN ER Program Compliance Management tool. The IRS\nstated this tool will eventually replace the need for the SSN ER Program tracking tools and\nspreadsheets. The new tool will allow for real-time updates and will assist the SSN ER Program\nteam in its daily tracking of the ongoing Social Security Number mitigation progress. It will also\nallow the team to follow up on future SSN ER Plan compliance actions and provide progress\nreporting. However, the tool only tracks actions; it does not set milestones or expectations.\nInternal controls should be designed to assure that ongoing monitoring occurs as the SSN ER\nPlan progresses. Monitoring should be performed continually and be ingrained in the operations.\nIt includes regular management and supervisory activities, comparisons, reconciliations, and\nother actions people take in performing their duties. The key benefit to monitoring is that is\nhelps assure project performance is observed and measured regularly to identify variances from\nthe Plan. Without interim milestones, it is difficult to gauge the progress of the Plan.\n\nRecommendations\nThe Deputy Commissioner for Operations Support should:\nRecommendation 1: Maintain documentation to support major deliverables and key\nmeetings so that it is readily available for examination.\n       Management\xe2\x80\x99s Response: IRS management agreed with this recommendation. The\n       IRS created a dedicated SSN ER shared folder to maintain documentation related to\n       major SSN ER Program deliverables and key meetings and will ensure specific report\n       and source materials are readily available for examination. The SSN ER Program team\n       has also identified a team member as the Records Historian. The Records Historian will\n\n                                                                                           Page 8\n\x0c              Target Dates Have Not Been Established to Eliminate or Reduce\n                     Taxpayer Social Security Numbers From Outgoing\n                                     Correspondence\n\n\n\n      establish record retention standards, as needed, on documents not currently covered in a\n      records control schedule.\nRecommendation 2: Validate data received from the business units and all accomplishments\nto ensure all needed actions are complete.\n      Management\xe2\x80\x99s Response: IRS management agreed with this recommendation. The\n      IRS will implement a data validation process for all SSN ER Plan accomplishments to\n      ensure all required actions are completed.\n      As part of this process, the IRS will leverage a current IRS application as an SSN ER\n      Compliance Management Tool to track, monitor, and report ongoing SSN ER compliance\n      progress throughout the enterprise. This Tool will house all SSN ER Program\n      compliance data and establish an electronic case file for each system, notice, letter, and\n      form that uses Social Security Numbers. This system is currently going through user\n      acceptance testing and will be released by October 1, 2010.\nRecommendation 3: Refine and update the milestones for the SSN ER Plan to ensure timely\nprogress of the strategy.\n      Management\xe2\x80\x99s Response: IRS management agreed with this recommendation. The\n      IRS will strengthen Program milestones by refining and updating milestones quarterly to\n      ensure timely progress of Program strategies.\n      The IRS SSN ER 2-D Barcode Project is currently producing documents and artifacts for\n      Project Milestones 1 and 2 as defined by the Enterprise Life Cycle. The 2-D Barcode\n      Project, one of the solutions for the SSN ER Plan, will encode the Social Security\n      Number within a two-dimensional barcode on IRS notices and will also provide the\n      necessary tools to read and identify taxpayers when they respond to IRS notices. The\n      Project is scheduled to complete Milestones 1 and 2 by October 1, 2010. Additional\n      milestone dates will be established at that time.\n\n\n\n\n                                                                                         Page 9\n\x0c                Target Dates Have Not Been Established to Eliminate or Reduce\n                       Taxpayer Social Security Numbers From Outgoing\n                                       Correspondence\n\n\n\n                                                                                   Appendix I\n\n        Detailed Objective, Scope, and Methodology\n\nThe overall objective of this review was to determine whether the IRS is efficiently eliminating\nthe unnecessary collection and use of taxpayer Social Security Numbers. To accomplish our\nobjective, we:\nI.     Determined the expectations of OMB Memorandum 07-16 (M-07-16), \xe2\x80\x9cSafeguarding\n       Against and Responding to the Breach of Personally Identifiable Information,\xe2\x80\x9d and if the\n       IRS met the Department of the Treasury (Treasury) and OMB expectations.\n       A. Reviewed the IRS\xe2\x80\x99 current plans and reports relating to OMB M-07-16.\n       B. Determined Treasury\xe2\x80\x99s evaluation and opinion/conclusion of the IRS\xe2\x80\x99 submitted\n          plans, efforts, and actions to eliminate the unnecessary use of Social Security\n          Numbers by interviewing officials in the Treasury Office of Privacy and Treasury\n          Records.\n       C. Determined OMB\xe2\x80\x99s evaluation and opinion/conclusion of the Treasury/IRS submitted\n          plans, efforts, and actions to eliminate the unnecessary use of Social Security\n          Numbers by interviewing officials in the OMB Office of Information and Regulatory\n          Affairs.\nII.    Determined the accuracy of the 35 accomplishments cited in the IRS SSN ER Plan,\n       Version 3.0, dated February 17, 2009.\n       A. Met with IRS officials to discuss the process followed for validating the\n          February 17, 2009, SSN ER Plan.\n       B. Selected a judgmental sample of 9 accomplishments from the 35 accomplishment\n          statements and identified the source information supporting the statements. We\n          selected a judgmental sample because of the small population size (35) and to ensure\n          we sampled accomplishments related to systems, notices, and forms.\n       C. Reviewed the source documents and supporting documentation provided by the IRS\n          to determine the accuracy of the Plan statements.\nIII.   Determined if the universal population of IRS systems, notices, and forms appeared\n       complete.\nIV.    Determined the process used to prioritize the Social Security Number inventory to\n       immediately eliminate, replace, or mask the Social Security Number or to include in the\n\n\n                                                                                          Page 10\n\x0c                Target Dates Have Not Been Established to Eliminate or Reduce\n                       Taxpayer Social Security Numbers From Outgoing\n                                       Correspondence\n\n\n\n       enterprise-wide plan to seek an alternative method to safeguard the Social Security\n       Numbers.\nV.     Identified delivery milestones and actions to be taken.\nInternal controls methodology\nInternal controls relate to management\xe2\x80\x99s plans, methods, and procedures used to meet their\nmission, goals, and objectives. Internal controls include the processes and procedures for\nplanning, organizing, directing, and controlling program operations. They include the systems\nfor measuring, reporting, and monitoring program performance. We determined the following\ninternal controls were relevant to our audit objective: Office of Privacy policies, procedures, and\npractices for implementing the SSN ER Plan. We evaluated these controls by interviewing\nmanagement and employees and reviewing documentation to support the accomplishments and\nactivities as outlined in the SSN ER Plan.\n\n\n\n\n                                                                                           Page 11\n\x0c               Target Dates Have Not Been Established to Eliminate or Reduce\n                      Taxpayer Social Security Numbers From Outgoing\n                                      Correspondence\n\n\n\n                                                                             Appendix II\n\n                 Major Contributors to This Report\n\nMichael E. McKenney, Assistant Inspector General for Audit (Returns Processing and Account\nServices)\nAugusta R. Cook, Director\nPaula W. Johnson, Audit Manager\nLynn Faulkner, Lead Auditor\nGeraldine Vaughn, Auditor\n\n\n\n\n                                                                                    Page 12\n\x0c              Target Dates Have Not Been Established to Eliminate or Reduce\n                     Taxpayer Social Security Numbers From Outgoing\n                                     Correspondence\n\n\n\n                                                                         Appendix III\n\n                        Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Services and Enforcement SE\nChief Technology Officer OS:CTO\nCommissioner, Small Business/Self-Employed Division SE:S\nCommissioner, Wage and Investment Division SE:W\nDirector, Privacy, Information Protection, and Data Security OS:P\nAssociate Chief Information Officer, Enterprise Services OS:CTO:ES\nAssociate Chief Information Officer, Strategy and Planning OS:CTO:SP\nDirector, Campus Compliance Services, Small Business/Self-Employed Division SE:S:CCS\nDirector, Collection, Small Business/Self-Employed Division SE:S:C\nDirector, Customer Account Services, Wage and Investment Division SE:W:CAS\nDirector, Customer Assistance, Relationships and Education, Wage and Investment Division\nSE:W:CAR\nDirector, Examination, Small Business/Self-Employed Division SE:S:E\nDirector, Privacy and Information Protection OS:P:PIP\nDirector, Strategy and Finance, Wage and Investment Division SE:W:S\nDeputy Associate Chief Information Officer, Systems Integration OS:CTO:ES:SI\nDirector, Accounts Management, Wage and Investment Division SE:W:CAS:AM\nDirector, Campus Filing and Payment Compliance, Small Business/Self-Employed Division\nSE:S:CCS: FPC\nDirector, Campus Reporting Compliance, Small Business/Self-Employed Division\nSE:S:CCS:CRC\nDirector, Media and Publications, Wage and Investment Division SE:W:CAR:MP\nDirector, Office of Privacy OS:P:PIP:P\nDirector, Portfolio Planning and Estimation OS:CTO:SP:PPE\nDirector, Strategy and Capital Planning OS:CTO:SP:SCP\nChief, Program Evaluation and Improvement, Wage and Investment Division SE:W:S:PRA:PEI\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaisons:\n       Chief Technology Officer OS:CTO\n\n                                                                                 Page 13\n\x0c       Target Dates Have Not Been Established to Eliminate or Reduce\n              Taxpayer Social Security Numbers From Outgoing\n                              Correspondence\n\n\n\nCommissioner, Small Business/Self-Employed Division SE:S\nDirector, Privacy, Information Protection, and Data Security OS:P\nSenior Operations Advisor, Wage and Investment Division SE:W:S\nChief, GAO/TIGTA/Legislative Implementation Branch, Small Business/Self-Employed\nDivision SE:S:CLD:PSP:GTL\nChief, Program Evaluation and Improvement, Wage and Investment Division\nSE:W:S:PRA:PEI\n\n\n\n\n                                                                         Page 14\n\x0c   Target Dates Have Not Been Established to Eliminate or Reduce\n          Taxpayer Social Security Numbers From Outgoing\n                          Correspondence\n\n\n\n                                                   Appendix IV\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                          Page 15\n\x0cTarget Dates Have Not Been Established to Eliminate or Reduce\n       Taxpayer Social Security Numbers From Outgoing\n                       Correspondence\n\n\n\n\n                                                       Page 16\n\x0cTarget Dates Have Not Been Established to Eliminate or Reduce\n       Taxpayer Social Security Numbers From Outgoing\n                       Correspondence\n\n\n\n\n                                                       Page 17\n\x0cTarget Dates Have Not Been Established to Eliminate or Reduce\n       Taxpayer Social Security Numbers From Outgoing\n                       Correspondence\n\n\n\n\n                                                       Page 18\n\x0cTarget Dates Have Not Been Established to Eliminate or Reduce\n       Taxpayer Social Security Numbers From Outgoing\n                       Correspondence\n\n\n\n\n                                                       Page 19\n\x0c'